TLS fieldsedit

TLS-specific event fields.

tls.version

type: keyword

example: TLS 1.3

The version of the TLS protocol used.

tls.handshake_completed

type: boolean

Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.

tls.resumed

type: boolean

If the TLS session has been resumed from a previous session.

tls.resumption_method

type: keyword

If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.

tls.client_certificate_requested

type: boolean

Whether the server has requested the client to authenticate itself using a client certificate.

tls.client_hello.version

type: keyword

The version of the TLS protocol by which the client wishes to communicate during this session.

tls.client_hello.supported_ciphers

type: array

List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

tls.client_hello.supported_compression_methods

type: array

The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

extensions fieldsedit

The hello extensions provided by the client.

tls.client_hello.extensions.server_name_indication

type: keyword

List of hostnames

tls.client_hello.extensions.application_layer_protocol_negotiation

type: keyword

List of application-layer protocols the client is willing to use.

tls.client_hello.extensions.session_ticket

type: keyword

Length of the session ticket, if provided, or an empty string to advertise support for tickets.

tls.client_hello.extensions.supported_versions

type: keyword

List of TLS versions that the client is willing to use.

tls.server_hello.version

type: keyword

The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.

tls.server_hello.selected_cipher

type: keyword

The cipher suite selected by the server from the list provided by in the client hello.

tls.server_hello.selected_compression_method

type: keyword

The compression method selected by the server from the list provided in the client hello.

extensions fieldsedit

The hello extensions provided by the server.

tls.server_hello.extensions.application_layer_protocol_negotiation

type: array

Negotiated application layer protocol

tls.server_hello.extensions.session_ticket

type: keyword

Used to announce that a session ticket will be provided by the server. Always an empty string.

tls.server_hello.extensions.supported_versions

type: keyword

Negotiated TLS version to be used.

client_certificate fieldsedit

Certificate provided by the client for authentication.

tls.client_certificate.version

type: long

X509 format version.

tls.client_certificate.serial_number

type: keyword

The certificate’s serial number.

tls.client_certificate.not_before

type: date

Date before which the certificate is not valid.

tls.client_certificate.not_after

type: date

Date after which the certificate expires.

tls.client_certificate.public_key_algorithm

type: keyword

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

tls.client_certificate.public_key_size

type: long

Size of the public key.

tls.client_certificate.signature_algorithm

type: keyword

The algorithm used for the certificate’s signature.

tls.client_certificate.alternative_names

type: array

Subject Alternative Names for this certificate.

tls.client_certificate.raw

type: keyword

The raw certificate in PEM format.

subject fieldsedit

Subject represented by this certificate.

tls.client_certificate.subject.country

type: keyword

Country code.

tls.client_certificate.subject.organization

type: keyword

Organization name.

tls.client_certificate.subject.organizational_unit

type: keyword

Unit within organization.

tls.client_certificate.subject.province

type: keyword

Province or region within country.

tls.client_certificate.subject.common_name

type: keyword

Name or host name identified by the certificate.

issuer fieldsedit

Entity that issued and signed this certificate.

tls.client_certificate.issuer.country

type: keyword

Country code.

tls.client_certificate.issuer.organization

type: keyword

Organization name.

tls.client_certificate.issuer.organizational_unit

type: keyword

Unit within organization.

tls.client_certificate.issuer.province

type: keyword

Province or region within country.

tls.client_certificate.issuer.common_name

type: keyword

Name or host name identified by the certificate.

tls.client_certificate.fingerprint.md5

type: keyword

Certificate’s MD5 fingerprint.

tls.client_certificate.fingerprint.sha1

type: keyword

Certificate’s SHA-1 fingerprint.

tls.client_certificate.fingerprint.sha256

type: keyword

Certificate’s SHA-256 fingerprint.

server_certificate fieldsedit

Certificate provided by the server for authentication.

tls.server_certificate.version

type: long

X509 format version.

tls.server_certificate.serial_number

type: keyword

The certificate’s serial number.

tls.server_certificate.not_before

type: date

Date before which the certificate is not valid.

tls.server_certificate.not_after

type: date

Date after which the certificate expires.

tls.server_certificate.public_key_algorithm

type: keyword

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

tls.server_certificate.public_key_size

type: long

Size of the public key.

tls.server_certificate.signature_algorithm

type: keyword

The algorithm used for the certificate’s signature.

tls.server_certificate.alternative_names

type: array

Subject Alternative Names for this certificate.

tls.server_certificate.raw

type: keyword

The raw certificate in PEM format.

subject fieldsedit

Subject represented by this certificate.

tls.server_certificate.subject.country

type: keyword

Country code.

tls.server_certificate.subject.organization

type: keyword

Organization name.

tls.server_certificate.subject.organizational_unit

type: keyword

Unit within organization.

tls.server_certificate.subject.province

type: keyword

Province or region within country.

tls.server_certificate.subject.common_name

type: keyword

Name or host name identified by the certificate.

issuer fieldsedit

Entity that issued and signed this certificate.

tls.server_certificate.issuer.country

type: keyword

Country code.

tls.server_certificate.issuer.organization

type: keyword

Organization name.

tls.server_certificate.issuer.organizational_unit

type: keyword

Unit within organization.

tls.server_certificate.issuer.province

type: keyword

Province or region within country.

tls.server_certificate.issuer.common_name

type: keyword

Name or host name identified by the certificate.

tls.server_certificate.fingerprint.md5

type: keyword

Certificate’s MD5 fingerprint.

tls.server_certificate.fingerprint.sha1

type: keyword

Certificate’s SHA-1 fingerprint.

tls.server_certificate.fingerprint.sha256

type: keyword

Certificate’s SHA-256 fingerprint.

tls.server_certificate_chain

type: array

Chain of trust for the server certificate.

tls.client_certificate_chain

type: array

Chain of trust for the client certificate.

tls.alert_types

type: keyword

An array containing the TLS alert type for every alert received.

fingerprints fieldsedit

Fingerprints for this TLS session.

ja3 fieldsedit

JA3 TLS client fingerprint

tls.fingerprints.ja3.hash

type: keyword

The JA3 fingerprint hash for the client side.

tls.fingerprints.ja3.str

type: keyword

The JA3 string used to calculate the hash.